Security Gateway Inventory

About 6 months ago, CP gave us a script to run from Provider 1 to grab all gateways and their corresponding model/software version. However, it was a very inconsistent result, meaning that some (active) gateways came back with just host name and IP and some came back with host name/IP/OS version/model number.

Is anybody aware of a way to pull gateway info that includes (Hostname/IP/OS-Version/Model)? I know you can export a list through network objects, but I just want an active count for inventory. Any such method/script?

Re: Security Gateway Inventory

I have only tested it with R77.30, R80.10 and R76 (chassis ver) and CP appliances...

You get semicolon separated text like this - you can format it better if you need to

You run it on MDS - it's fairly slow but I wanted to keep it as simple as possible.

Script will use cpmiquerybin to fetch all physical gateways from all CMAs and then cprid_util to run some commands to collect numbers, so it's fully autonomous - does not need any input nor extra usernames/port openings etc.

Re: Security Gateway Inventory

Was this script supposed to be run in a special way? When attempting to run this I kept receiving an error regarding the command "AllCMAs". Is this specific command on a certain version of hotfix or a special add-in etc.? I am new to the Check Point scripting world so forgive me if the question is a little newbish.

Re: Security Gateway Inventory

get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found

Re: Security Gateway Inventory

We have created a bunch of scripts that we use to check all kinds of stuff on our managed gateways, but provide our script with a list of hosts to use instead of collecting the systems from a management-server.

To gather the information, we use SSH with certificates to access the devices. It gets the following information from the systems:

Hostname, CP-version (major & minor), cluster-status, secureXL status, uptime, if DNS and NTP are working and if the time is set correctly, if stateful inspection is on or off, the age of the AntiBot/AntiVirus/IPS/Appl/URLf-databases, the size of /var/log/messages (if this is still the default size, it will set it to 10x2MB), if the system is 32 or 64-bit, CPUSE-version, if the box is licensed, the model and the serial number.

The scripts are rather ugly put together, but get the job done and are run on a nightly basis.

The gathered intel is written to a file, so it can be read by other processes and can be used with information we gathered from other vendors' equipment that we manage for customers.

This is combined with information of the expiration-date of VPN-certificates and the version-database we compiled ourselves and this is presented on a web-server, so we have a full overview of (almost) all systems we manage and can do this without the use of SNMP.

The use of SSH that runs over a list of systems to check is a more general way of gathering information about the systems we manage, but a lot quicker than cprid_util (which we do use, but only to gather info on SMB-devices that don't do scripts).

Re: Security Gateway Inventory

Good points, Tomer. The reason why I'm pulling info from gateways is that ultimately they have the "correct" information themselves about the model, SW version and take number. Else you really rely on the info in the gateway object in mgmt being 100% accurate, which can be misleading sometimes after upgrades when people forget to update it. As they say - best to hear it from the horse's mouth.
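
The comparison the post above argues for, as an added example that is not part of the original thread: it checks gateway-reported values against what management has stored and flags stale, incomplete or missing rows. The hostname;ip;version;model layout, the function names and all sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: management-recorded vs gateway-reported inventory.
# Assumed layout: hostname;ip;version;model. Sample rows are constructed.

mgmt_inventory() {      # constructed: values stored in the management objects
cat <<'EOF'
gw-ams-01;192.0.2.11;R77.30;4800
gw-ams-02;192.0.2.12;R77.30;4800
gw-lon-01;192.0.2.21;R77.30;12600
gw-nyc-01;192.0.2.31;R80.10;5600
EOF
}

gateway_inventory() {   # constructed: values collected from the gateways
cat <<'EOF'
gw-ams-01;192.0.2.11;R77.30;4800
gw-ams-02;192.0.2.12;R80.10;4800
gw-lon-01;192.0.2.21;;
EOF
}

# $1 = management file, $2 = gateway file.
# Prints one finding per line: STATUS;hostname;field;mgmt_value;gateway_value
inventory_drift() {
    awk -F';' '
        NR == FNR { ip[$1] = $2; ver[$1] = $3; model[$1] = $4; next }
        {
            seen[$1] = 1
            if (!($1 in ip)) { print "UNKNOWN;" $1 ";;;"; next }
            # Only hostname/IP came back: collection failed for this gateway,
            # so report that instead of comparing empty fields.
            if ($3 == "" || $4 == "") { print "INCOMPLETE;" $1 ";;;"; next }
            if ($3 != ver[$1])   print "DRIFT;" $1 ";version;" ver[$1] ";" $3
            if ($4 != model[$1]) print "DRIFT;" $1 ";model;" model[$1] ";" $4
        }
        END { for (h in ip) if (!(h in seen)) print "MISSING;" h ";;;" }
    ' "$1" "$2" | LC_ALL=C sort
}

run_demo() {            # runs the check on the constructed samples
    tmp=$(mktemp -d) || return 1
    mgmt_inventory > "$tmp/mgmt"
    gateway_inventory > "$tmp/gw"
    inventory_drift "$tmp/mgmt" "$tmp/gw"
    rm -rf "$tmp"
}

run_demo
```

INCOMPLETE rows are the "host name and IP only" case from the first post; MISSING rows are gateways management knows about that returned nothing at all.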

Re: Security Gateway Inventory

First of all this is good feedback for us. Consistency between gateway values defined at the Management server and the values on the gateways themselves is something we will try to emphasize better in our next releases.

You can pull the take number by running “mgmt_cli run script” on the Management server for the script “clish -C ver” on the selected gateway targets.

Re: Security Gateway Inventory

I have a script SK85621 that does some of the inventory collection but it does not tell you the specific model for each firewall. I have looked at the attributes and when you use "appliance type" but I would like the specific platform from each individual (we have a variety). Which attribute gives me that output? I see a list of attributes but am not sure which one would do that (since it is not obvious to me in the list of attributes).

Re: Security Gateway Inventory

When I try to run the script I get this error "./inventoryscriptcheckmates091818.sh: /bin/bash^M: bad interpreter: No such file or directory". Any thoughts on how to fix it? I have not tried the corrected one but will now and let you know if I have any issues.